JTAG instructions and hints
From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 12:24, 18 February 2008 by Davy gravy (Talk | contribs)
| This article is currently a stub. You can help this Wiki by expanding it . This template will categorize articles that include it into Category:Stubs. |
Contents |
Introduction
TODO: Add generic info about JTAG and why it safes ones ass if he messes with the flash
Hardware
PPC-based-boxes
JTAG-cable from tampakuro/kuroguy
JTAG10-jtag-cable from http://www.soc-machines.com/
LS1
TODO: Add info about the additional Hardware mods needed to make JTAG working. Hint: bridge! + needed info about Flash structure
HG/HS
1) Installing headers TODO: what needs to be bridged?
Terastation
TODO: add specific Info if additional hardware mods are needed. + needed info about Flash structure
Terastation Pro v1
TODO: add specific Info if additional hardware mods are needed. + needed info about Flash structure
Mipsel-based boxes
TODO: Add info about the JTAG cable that works on the + needed info about Flash structure
LS2
Arm-based boxes
Currently we do not know if there are JTAG-Ports anywhere on the board. Tampakuro is tries to find out the JTAG Port of the LS Pro.
LS Pro/LS Live (arm9)
Flash structure
For the LSProV2, here is the output of flinfo while in u-boot:
Marvell>> flinfo
Bank # 1: SST SST39VF020 (2 Mbit)
Size: 256 kB,Bus Width: 1, device Width: 1.
Flash base: 0xfffc0000,Number of Sectors: 64 Type: REGULAR.
Sector Start Addresses:
00000000 (RO) 00001000 (RO) 00002000 (RO) 00003000 (RO) 00004000 (RO)
00005000 (RO) 00006000 (RO) 00007000 (RO) 00008000 (RO) 00009000 (RO)
0000a000 (RO) 0000b000 (RO) 0000c000 (RO) 0000d000 (RO) 0000e000 (RO)
0000f000 (RO) 00010000 (RO) 00011000 (RO) 00012000 (RO) 00013000 (RO)
00014000 (RO) 00015000 (RO) 00016000 (RO) 00017000 (RO) 00018000 (RO)
00019000 (RO) 0001a000 (RO) 0001b000 (RO) 0001c000 (RO) 0001d000 (RO)
0001e000 (RO) 0001f000 (RO) 00020000 (RO) 00021000 (RO) 00022000 (RO)
00023000 (RO) 00024000 (RO) 00025000 (RO) 00026000 (RO) 00027000 (RO)
00028000 (RO) 00029000 (RO) 0002a000 (RO) 0002b000 (RO) 0002c000 (RO)
0002d000 (RO) 0002e000 (RO) 0002f000 (RO) 00030000 (RO) 00031000 (RO)
00032000 (RO) 00033000 (RO) 00034000 (RO) 00035000 (RO) 00036000 (RO)
00037000 (RO) 00038000 (RO) 00039000 (RO) 0003a000 (RO) 0003b000 (RO)
0003c000 (RO) 0003d000 (RO) 0003e000 (RO) 0003f000
Background and Equipment
INCOMPLETE - Do Not Attempt At This Time
- These directions have been tested and checked on a LSProV2, with a Ubuntu 7.10 box (x86) and an Olimex ARM-USB-TINY jtag/usb programmer/debugger. Parallel port debuggers are certainly an option, but will probably yield lower speeds.
Setting Up OpenOCD
- Compiling
- Configuring and Starting OpenOCD
- Available Commands in OpenOCD
While in OpenOCD, entering the command help will yield a list of available commands and summary of help.
> help
help display this help
sleep sleep for <n> milliseconds
version show OpenOCD version
shutdown shut the server down
exit exit telnet session
log_output redirect logging to <file> (default: stderr)
debug_level adjust debug level <0-3>
jtag_speed set jtag speed (if supported) <speed>
scan_chain print current scan chain configuration
endstate finish JTAG operations in <tap_state>
jtag_reset toggle reset lines <trst> <srst>
runtest move to Run-Test/Idle, and execute <num_cycles>
statemove move to current endstate or [tap_state]
irscan execute IR scan <device> <instr> [dev2] [instr2] ...
drscan execute DR scan <device> [ dev2 ] [var2] ...
verify_ircapture verify value captured during Capture-IR <enable|disable>
var allocate, display or delete variable <name> [num_fields|"del"] [size1] ...
field display/modify variable field <var> <field> [value|"flip"]
script execute commands from <file>
xsvf run xsvf <file>
targets no help available
flash no help available
banks - list configured flash banks
info - print info about flash bank <num>
probe - identify flash bank <num>
erase_check - check erase state of sectors in flash bank <num>
protect_check - check protection state of sectors in flash bank <num>
erase - erase sectors at <bank> <first> <last>
write - write binary <bank> <file> <offset>
protect - set protection of sectors at <bank> <first> <last> <on|off>
nand no help available
pld programmable logic device commands
arm7_9 arm7/9 specific commands
write_xpsr - write program status register <value> <not cpsr|spsr>
write_xpsr_im8 - write program status register <8bit immediate> <rotate> <not cpsr|spsr>
write_core_reg - write core register <num> <mode> <value>
sw_bkpts - support for software breakpoints <enable|disable>
force_hw_bkpts - use hardware breakpoints for all breakpoints (disables sw breakpoint support) <enable|disable>
dbgrq - use EmbeddedICE dbgrq instead of breakpoint for target halt requests <enable|disable>
fast_writes - (deprecated, see: arm7_9 fast_memory_access)
fast_memory_access - use fast memory accesses instead of slower but potentially unsafe slow accesses <enable|disable>
dcc_downloads - use DCC downloads for larger memory writes <enable|disable>
etb_dump - dump current ETB content
armv4_5 armv4/5 specific commands
reg - display ARM core registers
core_state - display/change ARM core state <arm|thumb>
disassemble - disassemble instructions <address> <count> ["thumb"]
arm9tdmi arm9tdmi specific commands
vector_catch - catch arm920t vectors ["all"|"none"|"<vec1 vec2 ...>"]
arm926ejs arm926ejs specific commands
cp15 - display/modify cp15 register <opcode_1> <opcode_2> <CRn> <CRm> [value]
cache_info - display information about target caches
virt2phys - translate va to pa <va>
mdw_phys - display memory words <physical addr> [count]
mdh_phys - display memory half-words <physical addr> [count]
mdb_phys - display memory bytes <physical addr> [count]
mww_phys - write memory word <physical addr> <value>
mwh_phys - write memory half-word <physical addr> <value>
mwb_phys - write memory byte <physical addr> <value>
cfi no help available
reg no help available
poll poll target state
wait_halt wait for target halt [time (s)]
halt halt target
resume resume target [addr]
step step one instruction
reset reset target [run|halt|init|run_and_halt|run_and_init]
soft_reset_halt halt the target and do a soft reset
mdw display memory words <addr> [count]
mdh display memory half-words <addr> [count]
mdb display memory bytes <addr> [count]
mww write memory word <addr> <value>
mwh write memory half-word <addr> <value>
mwb write memory byte <addr> <value>
bp set breakpoint <address> <length> [hw]
rbp remove breakpoint <adress>
wp set watchpoint <address> <length> <r/w/a> [value] [mask]
rwp remove watchpoint <adress>
load_image load_image <file> <address> ["bin"|"ihex"]
dump_image dump_image <file> <address> <size>
load_binary [DEPRECATED] load_binary <file> <address>
dump_binary [DEPRECATED] dump_binary <file> <address> <size>
Starting OpenOCD and Connecting with Telnet
Verifying Flash and Flashing
Notes and Special Situations
Terastation Pro v2/Terastation Live (arm9)
Similar to the other arm9-based boxes from buffalo these 2 only have uboot in flash. everything else is read and executed from harddisc.
Software
See JTAG Software
PPC-based-boxes
How to use the JTAG-Tools
TODO: we need to link + describe either how to compile the tools and how to use the precompiled tools from the download-section
LS2 (mipsel-based)
How to use HairyDairyMaids debrick
TODO: adding info about how to use it
TIPS
Flashing the bootloader only
Updating via JTAG is very slow. This is not really surprising as the JTAG protocol is a bit-level serial protocol. Writing the firmimg.bin file can easily take 24 hours or longer.
TODO: because we can flash the firmimg.bin much faster from UBoot
|
| This article is currently a stub. You can help this Wiki by expanding it . This template will categorize articles that include it into Category:Stubs. |
